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Abstract. Spatial conjunction is a powerful construct for reasoning about dynamically al- 
located data structures, as well as concurrent, distributed and mobile computation. While 
researchers have identified many uses of spatial conjunction, its precise expressive power 
compared to traditional logical constructs was not previously known. 

In this paper we establish the expressive power of spatial conjunction. We construct an 
embedding from first-order logic with spatial conjunction into second-order logic, and more 
surprisingly, an embedding from full second order logic into first-order logic with spatial 
conjunction. These embeddings show that the satisfiability of formulas in first-order logic 
with spatial conjunction is equivalent to the satisfiability of formulas in second-order logic. 
These results explain the great expressive power of spatial conjunction and can be used 
to show that adding unrestricted spatial conjunction to a decidable logic leads to an un- 
decidable logic. As one example, we show that adding unrestricted spatial conjunction to 
two-variable logic leads to undecidability. 

On the side of decidability, the embedding into second-order logic immediately implies the 
decidability of first-order logic with a form of spatial conjunction over trees. The embedding 
into spatial conjunction also has useful consequences: because a restricted form of spatial 
conjunction in two-variable logic preserves decidability, we obtain that a correspondingly 
restricted form of second-order quantification in two-variable logic is decidable. The result- 
ing language generalizes the first-order theory of boolean algebra over sets and is useful in 
reasoning about the contents of data structures in object-oriented languages. 


Keywords: program specifi cation, separation logic, spatial conjunction, second-order 
logic, shape analysis, two-variable logic 


1 Introduction 


Separation logic with spatial conjunction operator was introduced as a technique for 
local reasoning about shared mutable data structures [25,44] and proved to be remark- 
ably effective [4,5, 12, 13,43,45]. Similar constructs are present in formalisms based on 
process calculi and ambient calculi [10, 11, 14-17,35]. 

Despite the increasing range of results and applications of separation logic, the pre- 
cise expressive power of spatial conjunction constructs is often not known. For example, 
the authors in [14,20] use the formalism of edge-labelled multigraphs and observe great 
expressive power of spatial logic for describing paths in a graph, but suggest that the 
relationship with second-order logic in this setting is not straightforward. 

In [30,31] we defi ned the notion of spatial conjunction for arbitrary relational struc- 
tures. Our notion of spatial conjunction splits relations into disjoint subsets and has a 
natural semantics that works for relations of any arity. The interpretation over relational 
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structures is an important step in enabling the combination of spatial conjunction with 
the traditional fi rst-order and second-order logics [2, 24, 39] and their fragments. One 
such decidable fragment of fi rst-order logic that is useful for reasoning about the heap is 
two-variable logic with counting [23], whose variable-free counterpart is role logic [28]. 
In [30, 31] we present a combination of two-variable logic with spatial conjunction 
defi ned on relational structures and show that it is useful for specifying generalized 
records that formalize role constraints [27]. To preserve the decidability of the nota- 
tion, [30] imposes the following restriction on spatial conjunction: spatial conjunction 
may only be applied to formulas of (counting) quantifi er nesting at most one. Under this 
assumption, we show that spatial conjunction can be eliminated using syntactic opera- 
tions on formulas, which means that spatial conjunction not only preserves decidability, 
but leaves the expressive power of two-variable logic with counting unchanged. 

Given the results in [30], a natural question to ask is: are we imposing an unneces- 
sarily strong restriction by not allowing application of spatial conjunction to formulas 
with nested quantifi ers; in particular, what is the decidability of logic that allows spatial 
conjunction of formulas with two nested quantifiers? The present paper gives an an- 
swer to this question: we establish that allowing spatial conjunction for formulas with 
nested quantifi ers leads to an undecidable logic. This undecidability result turns out to 
be a consequence of an unexpectedly fundamental connection: spatial conjunction can 
represent second-order quantification. We obtain a striking contrast on the expressive 
power of logic depending on the use of spatial conjunction: if applied to formulas with 
no nesting of first-order counting quantifi ers, the result is still two-variable logic with 
counting; if applied to formulas with nested fi rst-order quantifi ers, the resulting formu- 
las can represent second-order formulas. This contrast can be viewed as a justifi cation 
for the restriction imposed in [30]. 

Because it applies to both decidable and undecidable logics, the embedding of 
second-order logic into spatial conjunction yields not only undecidability, but also de- 
cidability results. Using the restriction on the use of spatial conjunction with the trans- 
lation of second-order quantifi ers yields a decidable notation with second-order quanti- 
fi ers. This notation leads to a generalization of boolean algebra of sets to two-variable 
logic with counting extended with a form of second-order quantifi cation; such notation 
is useful for reasoning about data structure abstractions [32, 33]. 

We also note that graph reachability, inductive defi nitions, spatial implication, and 
a parameterized version of spatial conjunction are all expressible in second-order logic. 
An interesting consequence of the embedding of second-order quantifi ers into spatial 
conjunction is that all these constructs are expressible using spatial conjunction alone. 

Moreover, the converse embedding holds as well: spatial conjunction is expressible 
in second-order logic. Together, these two results lead to a particularly simple charac- 
terization: spatial conjunction and second-order logic are equivalent (see Proposition 1 
and Proposition 2 for the precise formulation of this equivalence). 

The translation from spatial logic to second-order logic also has useful conse- 
quences. Namely, if we restrict the set of models to unions of trees, then monadic 
second-order logic is decidable. By translating restricted spatial logic formulas to 
monadic second-order logic, we obtain that spatial logic is decidable over trees as well. 

In general, the equivalence for satisfi ability between spatial conjunction and second- 
order logic improves our understanding of spatial conjunction and suggests that the 


defi nition of spatial conjunction on relational structures is a natural one. While it is 
less surprising that second-order logic can express the defi nition of spatial conjunction 
(we have observed this already in the technical report [31]), we found it quite sur- 
prising that spatial conjunction in first-order logic can express the entire second-order 
logic. The idea of both directions of our translation is remarkably simple, and this sim- 
plicity is reflected in the linear time complexity of formula translations: translation of 
spatial conjunction connectives into second-order logic mimics the semantics of spa- 
tial conjunction in terms of the existence of disjoint relations, and the translation from 
second-order logic into spatial conjunction takes the advantage of the non-determinism 
in splitting of the heap to simulate the existential quantifi er. 


Contributions. We summarize the contributions of this paper as follows. 


1. We construct an equivalence-preserving translation of spatial conjunction into 
second-order quantifi ers. We then show that this translation implies decidability 
of the first-order logic with a spatial conjunction interpreted over tree structures, 
when spatial conjunction splits only unary predicates. 

2. We construct a satisfi ability-preserving translation of second-order quantifi ers into 
spatial conjunction, and derive the following consequences: 

(a) first-order logic with spatial conjunction has the expressive power of second- 
order logic, even if restricted to two first-order variables, and even if spatial 
conjunction is applied only to formulas of first-order quantifi er nesting at most 
two (similar result holds for parameterized spatial conjunction that splits only 
unary predicates: the resulting logic is equivalent to monadic second-order 
logic); 

(b) two-variable logic with counting extended with second-order quantifi ers that 
apply only to formulas with quantifi er nesting at most one can be translated 
into two-variable logic with counting, and is therefore decidable; 

(c) graph reachability, inductive defi nitions, spatial implication, and generalized 
spatial conjunction are all expressible using first-order logic with spatial con- 
junction. 


2 Preliminaries 


In this section we present our defi nitions of relational structures as well as the semantics 
of second-order logic and spatial conjunction. 


2.1 Relational Structures 


Figure | presents the semantics of second-order logic formulas in relational structures, 
which is mostly standard. We use Var to denote fi rst-order variables with typical repre- 
sentatives x, 7;. We use %’ to denote second-order variables (predicates), with a typical 
representative P, or P“) when we wish to specify that the predicate symbol has arity 
k; alternatively we write ar(P) = k. 

For convenience we fi x a universe U of all relational structures in a given context; 
we assume U is countable, but the cardinality of U does not play an important role 
for us. A relational structure, denoted e, is a valuation for first-order and second-order 
variables. As in first-order logic, for a first-order variable x, e(a) € U is an element 
of the domain, and for a predicate symbol P of arity ar(P) = k, e(P) C U*") isa 
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Fig. 1. Semantics (Interpretation) of Second-Order Formulas in Relational Structures 


relation of arity k. In this way we merge the model and the variable assignment, which 
makes it natural to defi ne second-order quantifi cation as in Figure 1. If v is a first-order 
or second-order variable, we use the standard notation e[v := a] to denote the updated 
relational structure such that e[v := a](v) = a and elv := a](v1) = e(v1) for v1 F v. 
We treat equality in formulas as a logical symbol and interpret it in the standard way. 


2.2 Spatial Conjunction 


Figure 2 introduces our notion of spatial conjunction, denoted ®. We illustrate the in- 
tuition behind the defi nition of ® in terms of combining the structures for which the 
formula is true. Suppose 1’ = {P (2)y has only one binary relation symbol, so the rela- 
tional structures are graphs. If e; is a structure such that M|F\]Je, and eg is a structure 
such that M|[F>]e2, then if the edges of e;(P?)) and e2(P)) are disjoint, the struc- 
ture with relation e(P°)) = e;(P)) U e2(P) satisfies M[K @ Fy]e. In general, 
there is one relation e for each pair of models e; and e2 that can be combined. There 
are three models of F ® F2 in Figure 2; there is only one pair of relations that cannot 
be combined, because of an overlapping edge from w to x. 

The defi nition of spatial conjunction in Figure 2 is identical to the one we use in [30, 
31]. In our setup, similarly to other notions of spatial conjunction [15,25], a formula 
F’, ® F holds for a relational structure if and only if the structure can be split into two 
disjoint structures where F’, holds for the first component and F; holds for the second 
component. The difference with [15] is that we use general relational structures which 
correspond to labelled graphs as opposed to multigraphs. Our notion of splitting of 
relational structures, given by condition splitStruct, (e, e1, e2), reduces to partitioning 
each relation in o. For the defi nition of spatial conjunction ® we let o = + where 
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Fig. 2. Semantics of Spatial Conjunction @. 
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Fig. 3. Parameterized Spatial Conjunction ®, 


2; is the set of all relation symbols; it is also natural to allow a generalized spatial 
conjunction ®, in Figure 3 that takes the set of predicate symbols o as an argument, 
then splits relations in o and preserves the relations in ©’ \ o. For example, if we let 
o = ¥(), then the conjunction ®, splits only unary relations. The results of this paper 
imply that ®s corresponds to full second-order logic, whereas ® 51) corresponds to 
monadic second-order logic. 

Our defi nition of spatial conjunction above is not the only one possible, but there 
are several reasons to consider it as a natural defi nition of spatial conjunction: 


— Our defi nition is close to the defi nition of [25]. A relational structure can represent 
a store by modelling each store location as a pair of an object and one of the fi nitely 
many predicate symbols; this view is appropriate for type-safe languages such as 
Java, ML, and O’Caml. 

— The only difference compared to [15] is that we use relations as sets of tuples 
where [15] uses multigraphs as multisets of tuples; we believe that our results can 
provide useful insight into languages such as [15] as well. 

— With the appropriate defi nition of spatial implication —® (Figure 8) corresponding 
to conjunction ®, our model validates the axioms of bunched implications [25,42]. 

— Wecan naturally describe concatenation of generalized records [30,31], which can- 
not be expressed using standard logical operations. 


The main claim of this paper is that our notion of spatial conjunction is equivalent 
for satisfi ability to second-order quantifi cation. This equivalence can be viewed as an- 


other argument in favor of the defi nitions we adopt. We proceed to demonstrate both 
directions of the equivalence, and then present some consequences of the result. 


3 Representing Spatial Conjunction ® in Second-Order Logic 


In this section we give a translation from the fi rst-order logic with spatial conjunction 
to second-order logic. The consequence of this translation is an upper bound on the ex- 
pressive power of spatial conjunction. Because our translation applies to all relational 
structures, if we restrict the set of relational structures so that second-order logic be- 
comes decidable, then the corresponding spatial logic is decidable on the restricted set 
of structures as well. 
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Fig. 4. Translation of Spatial Conjunction into Second-Order Logic 


Figure 4 presents the translation from fi rst-order logic extended with spatial conjunction 
into second-order logic. The translation directly mimics the semantics of ® and follows 
from the fact that second-order logic can essentially quantify over its entire domain and 
can express disjointness of relations. Indeed, the truth value of a formula depends only 
on fi nitely many first and second-order variables, and second-order logic can quantify 
over each of these variables, which amounts to quantifi cation over relational structures. 


The translation in Figure 4 introduces two fresh predicate symbols P/, P!’ for each 
predicate symbol P; and asserts that P/ and P/’ split P;. The translation then replaces 
the predicates P; with the corresponding predicates P/ in the first formula F’, and 
replaces the predicates P; with the predicate P/’ in the second formula F’’. The cor- 
rectness of the translation follows from the defi nitions, using lemmas in Figure 4 and 


structural induction. We conclude the following. 


Proposition 1. If F is a second-order logic formula potentially containing spatial con- 
junction, then RT~@2|F] is an equivalent second-order logic formula without spatial 
conjunction; we have M[RT@42[F ]]e = MIF ]e for all relational structures e that 
interpret F’. Moreover, if F' is a monadic second-order logic formula with ® sq) as the 
only spatial conjunction operator, then the resulting formula is a monadic second-order 
logic formula. 


4 Representing Second-Order Quantifiers using ® 


This section shows that second-order quantifi ers can be represented using spatial con- 
junction. Among the consequences of this result are the fact that first-order logic with 
spatial conjunction has the expressive power of second-order logic (even if restricted 
to two first-order variables where the spatial conjunction connects only formulas of 
first-order quantifier nesting at most two), that two-variable logic with counting ex- 
tended with second-order quantifi ers that apply only to formulas with quantifi er nesting 
at most one is decidable, and that inductive defi nitions, spatial implication, and general- 
ized spatial conjunction are expressible using fi rst-order logic with spatial conjunction. 

Figure 5 presents the translation of second-order quantifi ers into spatial conjunction. 
As in the case of the converse translation in Section 3, the intuition behind the transla- 
tion is to exploit the semantics of spatial conjunction in Figure 3. This time, however, 
we use the more complex operation—splitting of relational structures—to simulate an 
existential quantifi er over relations, which leads to apparent diffi culties. At first sight 
it appears that heap splitting fails to have the effect of an existential quantifi er over a 
relation predicate, for two reasons: 


1. splitting relational structures splits existing relations, which means that the inter- 
pretations of relations in the resulting structure are subsets of the interpretation of 
relations in the enclosing structure; 

2. splitting of relational structures splits all relations, and not just the interpretation of 
one predicate. 


We solve both of these problems when translating a formula Fo with second-order quan- 
tifi ers, as follows. We fi rst rename all bound second-order variables (denoted BV2(J)) 
to ensure that they are all distinct and that they differ from the free variables in Fo. In 
the translated formula, even the bound second-order variables BV2(F‘)) become free 
second-order variables, which are allowed in first-order logic. To solve the first prob- 
lem, instead of considering all possible relational structures e, we consider only those 
relational structures that map the variables BV2(Fo) to full relations; we use the con- 
junct allpreds to ensure that only such structures are considered for the interpretation of 
the final translated formula FZ_.@ [Fo]. We translate the formula using the recursive 
translation function denoted 72_,@|F'], which walks the formula tree and applies the 


BV2(F’) — second-order variables bound in F 
V2(F’) — second-order variables in F 
Fo — a formula without spatial conjunction ® 
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final translation of a formula: 
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Fig. 5. Translation of Second-Order Quantifiers into Spatial Conjunction 


translation of the existential quantifi er. The translation of the existential quantifi er, de- 
noted To. |[-], replaces the quantifier IP. F with the formula nonebut(P) ® F’. The 
spatial conjunct nonebut(P) solves the second problem above, by asserting that all rela- 
tions other than P are empty, and leaving the interpretation of relation P unconstrained. 
As aresult, the interpretation of P in F is arbitrary, achieving the effect of existential 
quantifi cation, and the interpretations of the remaining quantifi ers remain the same, as 
desired. 

Soundness of the translation in Figure 5 is given by equisatisfi ability, or equiva- 
lence on a reasonably restricted class of structures, as summarized by the following 
proposition. 


Proposition 2. Let Fo be a second-order logic formula in which each bound variable 
is distinct from all other variables in Fo. Then FTz.@| Fo] is a formula in first-order 
logic with spatial conjunction, such that Fo has a model if and only if FTx@|Fo] 
has a model. Moreover, if e ranges over structures that assign full relations to predi- 
cate symbols not free in Fo, then the transformation is equivalence preserving, that is, 
M([Fole if and only if M|F T2@|Folle. Finally, if all second-order quantifiers in Fo 
are monadic, then Fo can be translated into formula containing only ® sa) instead of 
®. 


5 Consequences of the Equivalence 


This section presents the consequences of the equivalence between spatial conjunction 
and second-order quantifi cation. 


5.1 Spatial Conjunction on Tree Structures is Decidable 


This section summarizes one interesting consequence of the equivalence between spa- 
tial conjunction and second-order logic with respect to tree structures. 

Let us restrict our attention to relational structures that interpret predicates of arity 
at most two. Such relational structures correspond to graphs with labelled nodes and 
edges. We say that a relational structure is a forest if the directed graph obtained by 
erasing all labels is a directed forest, where by a directed forest we mean a directed 
graph with no cycles where each node has an in-degree at most one. We then have the 
following lemma. 


Lemma 3. /f ¢ is a forest, and splitStruct s(e, €1, €2) holds, then both e, and eg are 
forests. 


The previous lemma easily follows by contraposition: if e; or eg have a cycle so does e, 
and if e; or e2 have a node with in-degree two or more, so does e. This lemma implies 
that, when evaluating the meaning M|[F'e of formula in first-order logic with spatial 
conjunction, it suffi ces to restrict the top-level structure e to be a forest for all structures 
occurring in the semantics of subformulas of F' to be forests, which means that the se- 
mantics of spatial conjunction over forests is equivalent to the semantics in Figure 1. 
Using Proposition 1 we then obtain as a special case M[FJe == M[RT@42[F le. 
By decidability of monadic second-order logic over trees [18], we conclude the follow- 
ing. 

Proposition 4. The satisfiability (and therefore the validity) problem of first-order logic 
extended with spatial conjunction ® sa) is decidable. 


5.2 Undecidable Extension of Two- Variable Logic 


This section notes a consequence of Proposition 2 on extensions of decidable fragments 
of fi rst-order logic with spatial conjunction. It is motivated by the following fact, proven 
in [30]: 


Fact 5. Two variable logic with counting extended with spatial conjunction on formu- 
las with no nested counting quantifiers is decidable. 


A natural question to ask is: what is the decidability of the notation if we allow spatial 
conjunction of formulas with quantifier nesting two or more. The answer is that the 
resulting notation is undecidable. Namely, if we have only binary relation symbols, we 
obtain a logic equivalent to full second-order logic, and already first-order logic in the 
language with binary relation symbols is undecidable. 

The reason for obtaining second-order logic when allowing spatial conjunction of 
formulas with nested quantifi ers is that it is possible to simulate fi rst-order quantifi ers 
using second-order quantifi ers. We can represent a first-order variable such as x by a 
second-order variable P,, bounded by the property 4)z.P,(z), and then replace each 
binary relation symbol f(x, y) with a formula of the form 


Vu.Vu. P,(u) A Py(v) > f(u,v), (1) 


which uses only two first-order variables and has quantifi er nesting of two. Similarly, 
the use of a unary relation symbol P() can be replaced by Vu. P,(u) > P(u). 

Now consider a second-order logic formula with binary and unary relation symbols 
and no restrictions on the number of fi rst-order variables. As described above, we can re- 
duce such formula to an equisatisfi able formula that uses only two fi rst-order variables. 
We can then apply the translation in Figure 5 to eliminate second-order quantifi ers. 
Because formulas allpreds and nonebut(P) have the quantifi er depth at most one, the 
result is a formula with spatial conjunction that is applied to quantifi ers of depth at most 
two and that uses at most two first-order variable names. Moreover, the resulting for- 
mula is equisatisfi able by Proposition 2. Because the satisfi ability of second-order logic 
formulas is undecidable, the translation of second-order logic formulas into formulas 
with spatial conjunction implies undecidability of formulas with spatial conjunction 
applied to formulas with quantifi ers depth of two or more. 


Proposition 6. Two variable logic with counting extended with spatial conjunction ® 
on formulas with quantifier nesting at most two is undecidable. The result applies to 
spatial conjunction ® sq) as well. 


5.3. Decidable Second-Order Quantification in Two- Variable Logic 

We next state a positive consequence of the Fact 5 and Proposition 2. 

Proposition 7. Two variable logic with counting extended with second-order quantifi- 
cation on formulas with no nested counting first-order quantifiers is decidable. 

Just like the previous Proposition 6, Proposition 7 follows from applying the translation 
in Figure 5 and observing that the resulting formula has no nested fi rst-order quantifi ers, 
and is equisatisfi able by Proposition 2. Applying Proposition 5, we can decide the sat- 


isfi ability of the resulting formula, which gives the satisfi ability of the original formula 
as well. 
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To see why Proposition 7 is interesting, note that Proposition 7 places no restrictions 
on the number of second-order quantifi ers used on a formula with no nested fi rst-order 
quantifi ers. Next, recall that monadic second-order logic of a set (with no relation sym- 
bols) is just the fi rst-order logic of boolean algebra of sets, which is decidable by quan- 
tifi er elimination [48] (for an overview of quantifi er elimination for boolean algebra see, 
for example, [29]). We therefore observe that the language permitted by Proposition 7 
is a proper generalization of boolean algebra of sets; it is a generalization that allows 
stating set properties in a neighborhood of a pair of objects given by two free variables 
of a formula in two-variable logic with counting. 

While we have found the fi rst-order theory of boolean algebra of sets to be useful for 
reasoning about the content of global data structures [32], the generalization presented 
in this section allows reasoning about sets that exist in the neighborhood of an object 
denoted by a first-order variable. In other words, this specifi cation language allows us 
to reason about the content of data structures associated with individual objects (which 
are common in object-oriented programming languages), as opposed to just reasoning 
about global data structures. 

Comparing the results of this section and Section 5.2, we note the crucial role of the 
restriction on quantifi er nesting: with no nested fi rst-order quantifi ers, it is not possible 
to use second-order variables to simulate fi rst-order variables because it is not possible 
to establish the correlation of the form (1). 


5.4 Expressing Inductive Definitions and Spatial Implication 


We next review the fact that inductive defi nitions (and therefore transitive closure) are 
defi nable in second-order logic. This fact is of interest because it implies that inductive 
defi nitions can be represented using spatial conjunction, which leads to a surprising 
conclusion that inductive defi nitions do not increase the expressive power of fi rst-order 
logic with spatial conjunction. We similarly observe that the spatial implication corre- 
sponding to spatial conjunction is expressible in second-order logic and therefore ex- 
pressible using spatial conjunction. All these consequences follow from Proposition 2. 


Mlletrec P (a1,...,a%) = F in G] a, M[G[P™ := LFP pe) 0, ,..,0, FI 


MILEP pte) oy,....0, F(Yts- yee <S 
(e(y1),---,e(ye)) € Ifpr{(v1,..., ve) | M[FJe[P® := 1, a1 := 01,..., 2% = vel) 
Fig. 6. Semantics of Inductive Definitions 


Figure 6 presents the semantics of inductive defi nitions. The syntax of the least- 
fi xpoint operator is 


LEP p63 oy,.ane2 (igs UE) 


where F' is a formula that may contain new free variables P“*) x1,...,a,. The mean- 
ing of the least-fi xpoint operator is that the relation which is the least fi xpoint of the 
monotonic transformation on predicates 


(Av1,...,¢%.P (a1,...,2%)) 9 (Avi,...,¢¢-F) 


holds for y1,...,Y%. To ensure the monotonicity of the transformation on predicates, 
we require that P“) occurs only positively in F’. 
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Tind—2 [LF P pie) 4... 2n F(yi, fei Yn) = 
VP. (Va1,...,0n-(F & P(a1,.-.,2n))) > Plyi,---, Yn) 


Soundness: 


M[Fina2[LFP pie) o1,...2n F(m, Se Be Yn [Je = MILFP pte) 21 ,...2n F(m, ee. ,Yn)]e 
Fig. 7. Expressing Least Fixpoint in Second-Order Logic 


Figure 7 shows that least fi xpoint operator is expressible in second-order logic. The 
property that P is a fi xpoint of Fis easily expressible. To encode that y,..., yn hold 
for the least fi xpoint of F’, we state that y,..., Yn hold for all fixpoints of F’, using 
universal second-order quantifi cation over P. 


M[F'-®F "Je Ss Vel," (splitStruct,,(e”,e,e’) A M[F’Je’) = M[F”Je” 


Teo[F'@F "| = VPI,...,Pl,PM,..., PM. 
™_, synSplitRel(P.’, P:, P/) A F’[P; := Pi) => 
t=1 
F"[P, = Ply 


Fig. 8. Semantics of Spatial Implication 


Figure 8 presents the semantics of the spatial implication operation that along with 
spatial conjunction ® validates the axioms of bunched implications [25,42]. Figure 8 
also presents the translation of —@ into second-order logic; the translation is analogous 
to the translation of spatial conjunction in Figure 4. (As usual, the universal quantifi ers 
can be expressed using the existential quantifi er and negation.) 

We summarize the results of this section as follows. 


Proposition 8. Graph reachability, inductive definitions, spatial implication, and gen- 
eralized spatial conjunction are all expressible using first-order logic with spatial con- 
junction. 


6 Related Work 


The use of separation logic for reasoning about shared mutable data structures started 

recently [25,44] using ideas from [9] and proved very fruitful [5, 12, 13,43, 45]. Our 

notion of spatial conjunction is defined on relational structures rather than on map- 
pings from memory locations to values, but our model can represent a location as a 

pair containing 1) an object and 2) one of the finitely many field names. Relational 
structures can naturally represent memory models of languages with destructive up- 

dates [8,34, 36,37, 46,47,51] and can also model concurrency and temporal logic spec- 

ifi cations [52,53]. 

Process calculi [11] and ambient calculi [17] can reason about space and locality 
as well as concurrency; these ideas also extend to graph-based structures [14, 15]. The 
results closest to ours are are [14, 15,20]; they are based on edge-labelled multigraphs, 
and do not establish the full equivalence with second-order logic. Graph-based struc- 
tures in [15] are close to the relational structures that we use, but use multisets of edges 
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instead of sets of edges. Similarly to spatial logic, type systems for reasoning about 
aliasing [21, 22,49, 50] typically contain join operators that combine independent por- 
tions of store, although they are often based on linear types as opposed to separation 
logic. 

Our work clarifies the relationship between separation logic and traditional fi rst- 
order logic [39] and second-order logic [2] and explains surprising expressive power 
of spatial conjunction without inductive defi nitions in expressing reachability proper- 
ties [14, 15]. The understanding of separation logic in connection to other formalisms 
is useful both for manual reasoning [5] and automated reasoning about programs with 
shared mutable data structures [1, 6,7, 10, 19,34, 36,37,40,41,46,47]. Decidability and 
complexity results of underlying logics and constraint systems are particularly impor- 
tant for automated reasoning [3, 4, 12, 13, 26, 35,38]. 

We have previously used the notion of spatial logic on relational structures in 
[30, 31] and presented a novel use of spatial conjunction to describe concatenation of 
generalized records. In [30,31] we take advantage of the defi nition of spatial conjunc- 
tion on relational structure to combine it with a fragment of fi rst-order logic: we present 
a decidable extension of two-variable logic with counting and its variable-free version 
role logic [28]. The encoding of spatial conjunction in second-order logic appears in 
the technical report [31]; we have since discovered the converse (and to us more sur- 
prising) encoding. The converse encoding gives justifi cation to the restriction in [30] 
by showing that the absence of the restriction leads to an undecidable, and in fact, ex- 
tremely expressive, logic. Moreover, the results of the present paper show how to use 
second-order quantifi ers in two-variable logic while preserving decidability. The result- 
ing notation generalizes the language of boolean algebra of sets, which we have found 
useful in reasoning about data structure abstractions [32, 33]. 


7 Conclusions 


In this paper we established the expressive power of spatial conjunction by construct- 
ing an embedding from fi rst-order logic with spatial conjunction into second-order logic 
and an embedding from full second order logic into first-order logic with spatial con- 
junction. These embeddings show that the satisfi ability of formulas in fi rst-order logic 
with spatial conjunction is equivalent to the satisfi ability of formulas in second-order 
logic. This equivalence implies new decidability and undecidability results for exten- 
sions of two-variable logic with counting, decidability of (unary-predicate) spatial logic 
over trees, and the fact that inductive defi nitions, spatial implication, and a parameter- 
ized spatial conjunction are all expressible using fi rst-order logic with spatial conjunc- 
tion. Finally, our connection opens up the possibility of using second-order logic as 
a unifying framework for integrating several formalisms for reasoning about dynamic 
data structures: spatial logic, monadic second-order logic on trees and graphs, and three- 
valued structures. 


Acknowledgements. We thank the participants of the Dagstuhl Seminar 03101 “Rea- 
soning about Shape” for useful discussions on separation logic, shape analysis, and 
techniques for reasoning about mutable data structures in general. The consequences 
of the translation from second-order logic to spatial conjunction for two-variable logic 
with counting were crystallized in discussion with Greta Yorsh. 
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